Hi Matt -
Our ultimate goal is to deliver all security patches through two mechanisms:
- WindowsUpdate for customers who would like to have all needed patches automatically installed on their machines with a minimum of effort.
- The Download Center for customers who want to download patches and install them manually, or who want to deploy patches throughout a network. The DC eventually will replace ftp.microsoft.com.
Right now, we're in transition. We are no longer deploying patches to the FTP site, and will soon start migrating older patches from the FTP site to the DC. All new patches are being deployed to the DC. In some cases, they're also being deployed to the WindowsUpdate site. Whether or not a patch goes to WindowsUpdate depends on what platform it's intended for -- Windows 95, 98 and 2000 support WindowsUpdate, but Windows NT 4.0 does not.
There's usually a lag between when we deploy a patch via the DC, and when it's available via WindowsUpdate. As you can imagine, it's a mammoth job to set up and test the scripts to sniff every possible combination of machines, OSes, and applications, and apply the right version of the patch to each one. As a result, WindowsUpdate is refreshed according to a predefined schedule. When a patch is ready for release, we deploy it to the DC, and then put it into the queue for the next WindowsUpdate refresh. That way, customers can assess the tradeoff between the urgency of the patch and the ease of installation, and choose whether to get it immediately from the DC or wait until it's available from WindowsUpdate.
Hope that helps explain what we're doing.
Regards,
[EMAIL PROTECTED]
Microsoft has a new acknowledgment policy for security bulletins. http://www.microsoft.com/security/bulletins/policy.asp
-----Original Message-----
From: Matt Davis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 19, 2000 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Microsoft Security Bulletin (MS00-005)
Which brings up a good question.. What makes a vulnerability
WindowsUpdate material?
Why does Microsoft not put all security/bug fixes on the Windows Update
site as recommended updates?
On Wed, 19 Jan 2000 [EMAIL PROTECTED] wrote:
> Interesting that this is not a part of Windows 98's Windows
> Update. If it was a serious enough vulnerability to fix you would think
> that it would also be easy to download and install without subscribing to
> any security related lists. :>
>
> _John
---
Matt Davis - ICQ# 934680
http://dogpound.vnet.net/~bigdog/
NoWonder UNIX Tech - http://www.nowonder.com
I think someone should have had the decency to tell me the luncheon was
free. To make someone run out with potato salad in his hand, pretending
he's throwing up, is not what I call hospitality.